Announced at Build: new capabilities for data security and workload optimization

Aria Jelinek

Today at Microsoft Build 2021, we are announcing updates to provide developers with more options for data security and workload optimization on Azure Cosmos DB.

For developers working with confidential data, you can now encrypt data in your client application before storing it in the cloud with Always Encrypted for Azure Cosmos DB (in preview). This provides an extra level of protection for sensitive data and makes cloud NoSQL accessible for datasets that must comply with regulatory requirements. For more details on Always Encrypted, check out these resources.

It is also easier than ever to customize data access with Azure Cosmos DB role-based access control, now generally available. With RBAC, you can set up role definitions based on allowed actions, then assign those roles to a user or device’s Azure Active Directory (AAD) identity. This opens the door to more control and less hassle when providing and revoking access, defining exactly who can do what, and tracking data access and activity. Read our blog post from this March for more details on RBAC.

For developers with read-heavy workloads, you now have new options to optimize costs and latency with Azure Cosmos DB integrated cache (in preview). The built-in cache is easy to set up and developers won’t need to spend time writing custom code for cache invalidation or modifying their application’s logic. See below for a deeper dive on this feature.

And finally, we are excited to announce that partial document update is coming soon! This feature will help developers achieve lower latency and reduced network payload by supporting path-level document changes rather than a full read-replace when modifying a portion of a document stored on Azure Cosmos DB. Customers are welcome to get started now by joining our private preview.

Note: This is one of two posts on Azure Cosmos DB updates at Build 2021. For more details on how to build cost-effective apps at any scale, check out our blog post here.


Spotlight on the NEW integrated cache:

The Azure Cosmos DB integrated cache is an in-memory cache that helps you ensure manageable costs and low latency reads as your request volume grows.

What to expect:
  • Optimized specifically for use with Azure Cosmos DB
  • Uses the same connection string as the rest of your Azure Cosmos DB account
  • Currently available for Core (SQL) API only (support for other APIs coming soon)
  • Provides multi-region support
  • Enabled by provisioning a dedicated gateway (dedicated compute resources billed hourly) for your Azure Cosmos DB account
How it works:

Without integrated cache enabled: All read requests hit the operational database and are charged accordingly based on request units (RUs) used.

diagram of app requesting data

With integrated cache enabled: Read requests are cached by the dedicated gateway (billed hourly based on selected size of dedicated compute resources); repeated query requests hit the integrated cache rather than the operational database and do not incur incremental request unit charges.

Diagram of app requesting data from the cache

When to use it:
  1. Cost savings for read-heavy workloads with relatively static data or workloads with many repeated queries or point reads on the same items
  2. Apps that require the lowest possible read times; improves latency for point reads and for repeated queries
  3. Avoiding a “hot” partition key which could otherwise result in inefficient use of provisioned throughput and higher costs
  4. Avoiding repeated high-RU queries by configuring how often an expensive query will run, if there is some tolerance for query staleness

For more details and information on getting started with the Azure Cosmos DB integrated cache, check out our technical documentation.






  • David Baker

    Thanks for the updates. Very exciting!

    – Are you using Redis internally for integrated cache or is it a custom implementation?
    – I’d also like to know if you have any input on whether integrated cache is replacing Redis in some ways or supposed to supplement it?
    – It’d be great if the database can handle data compression natively and we could benefit from staggered pricing on storage. Maybe a future update will provide these. 🙂

    • Mark Brown (Microsoft employee)

      It’s a bespoke implementation. Not intended to replace Redis. We will continue to fully support Redis on Azure.

      Hope you enjoy!
